Circuit arrangement for protected data transmission, particularly in ring-shaped bus systems

ABSTRACT

The present circuit arrangement allows data, which are necessary for building up fault-tolerant structures, to be transmitted on standard ring-shaped bus systems. Its implementation requires a monitoring unit and input and output units which transmit or receive data for control. The circuit arrangement handles the task of detecting any faults which can become a danger for the process within a machine or plant. Due to its internal configuration, the circuit arrangement identifies any fault even before the detection of the fault and initiates a protected switch-off. In this arrangement, it is of no importance whether it is the external control unit or the bus system used which is responsible for the fault.

CROSS-REFERENCE TO RELATED APPLICATIONS

Not Applicable

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH & DEVELOPMENT

Not Applicable.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The invention relates to a circuit arrangement for protected data transmission, particularly in ring-shaped bus systems.

2. Description of Relevant Art

In machine and plant construction today, movements and processes are not infrequently controlled which represent a danger to the life and health of persons, particularly the operating personnel, in the case of a fault or if they fail. Apart from these dangers, however, valuable machine parts must also be protected which can suffer great financial damage in the case of possible malfunctions.

Any faults which may occur must, therefore, be recognized by the process or the existing control facilities, and the machine should always be driven into a state which can be considered safe. As a rule, redundant structures are necessary for this which monitor the safety functions independently of the actual control. In machine or plant construction, detection of a single error is frequently sufficient for fault detection. After this fault has been detected, the control process can then be interrupted and stay in a safe state. This prevents any damage by faulty continuation of the process.

The methods for fault detection and the measures necessary for these are stated in the international standards DIN V VDE 0801 and DIN ISO 61508. By means of the principles given in these standards, the manufacturers of automation equipment have developed in recent years different strategies which allow safe transmissions on bus systems; see, for example, the "profibus with F-Profil" (PNO) and safety-bus P by Pilz and Sick.

In addition, control systems will reach the market which already have internally redundant structures and thus, in interplay with said safe-bus systems, allow fault detection; see, for example, the bus systems from Siemens, particularly the equipment series S 7 400 F, or the PSS 3000 series by Pilz.

However, the methods implemented there can only be used with completely new installation of the necessary components and protect only inadequately against systematic faults.

BRIEF SUMMARY OF THE INVENTION

Instead, the invention has the object of detecting faults in a process which is only built up with standard units.

In addition, not only faults occurring in the transport of data via the bus system used, but preferably also disturbances or programming errors in the control device, should be detected and eliminated.

The circuit arrangement thus represents an implementation of a method which has already been filed under the post-published German patent application no. 198 57 683.8, the full extent of the content of which is also made the subject matter of the present patent application by reference.

The method is particularly suitable for all ring-shaped bus systems, the technology described being optimally adapted for the interbus standard. In this case, a requirement profile was already worked out at the beginning of 1999 and then published: IEE journal, April 1999, Karsten Meyer-Gräfe: "Interbus goes Safety".

BRIEF DESCRIPTION OF THE DRAWINGS

In the text which follows, the invention is described in more detail, referring to preferred embodiments and the attached drawings, in which:

FIG. 1 shows the configuration for a first embodiment of a system for protected data transmission,

FIG. 2 shows the internal configuration of the peripheral safety-related unit of the system for protected data transmission.

DETAILED DESCRIPTION OF THE INVENTION

In the text which follows, the invention will be described in greater detail, initially by referring to FIG. 1. FIG. 1 shows a suitable configuration for such a system.

The control unit (1) handles all control functions in the process as is known, for example, from the conventional interbus system. The control unit (1) also detects possible faults and can interrupt processes or bring them to a safe state.

In the case of its own failure or in the case of faulty data transport, however, the control unit (1) is conventionally not able to produce the desired safe state. This failure also occurs, for example, if there is extensive separation between process control and safety control in the control system. Since there is conventionally no redundancy here, either, an undetected fault may have grave consequences.

According to the invention, other components are added which detect and eliminate a possible fault. These units are: a peripheral monitoring unit (4) and one or more peripheral safety-related units (9) in the process, which are only necessary where safety-related data are received or transmitted.

The control unit (1) contains a data map register (2) which sends all output data and other checking signals via the data line (13) to the peripheral units (7, 8, 12, peripheral safety-related unit 9 and peripheral monitoring unit 4).

Since the bus transport works in a similar way to a shift register, all peripheral units send their input data to the control unit in the same bus cycle via the return line (14), and these data are available in the data map register (3). In a subsequent SPC (stored-program control) cycle, the SPC then processes the data from its two map registers (2, 3) and thus generates the necessary state for the process.

Without the peripheral monitoring unit (4) and the peripheral safety-related unit (9), however, the SPC is not capable of controlling a programming error, a state due to disturbance or failure, or a data error due to wrong bus transport. The peripheral monitoring unit (4), therefore, contains its own microprocessor which monitors the transmitted data of the SPC and examines only the safety-related quantities for appropriateness, particularly their correctness.

Thus, the peripheral monitoring unit (4) with the transfer unit (5) is capable of monitoring the SPC. However, the peripheral monitoring unit (4) can also additionally read the data of the inputs of the peripheral units via the transfer unit (6) installed in the return path. Since the peripheral safety-related unit (9) also forwards its output information (D3) directly to the input section of the bus unit (23), it is possible to check directly whether the bus transfer has worked correctly.

Furthermore, the peripheral monitoring unit (4) with its transfer unit (5) is also capable of manipulating the data for the peripheral safety-related unit (9). In particular, the peripheral monitoring unit (4) can overwrite data of the SPC and thus prevent agreement with the data output from the peripheral safety-related unit (9). The peripheral safety-related unit (9) becomes active only if it has received an agreement for the data of the output unit (10) via the checking unit (11).

The timing with the data transport is shown in the following table:

S ST 1 2 D3 C3 4 SR H MT A E A E A E A E A E A E A E MR 0 LB ST E1 E2 E3EC E4 ES W 3 R 1 AS LB LB ST ST E1 E1 E2 E2 E3 E3 EC EC E4 E4 ES R W w 33 R 2 A4 AS AS LB LB ST ST E1 E1 E2 E2 E3 E3 EC EC E4 R R W W 3 3 3 1 A4A4 AS AS LB LB ST ST E1 E1 E2 E2 E3 E3 EC R R W W 3 4 A3 1 AC A4 A4 ASAS LB LB ST ST E1 E1 E2 E2 E3 3 R R W W 5 A2 A3 A3 AC AC A4 A4 AS AS LBLB ST ST E1 E1 E2 3 3 R R W W 6 A1 A2 A2 A3 A3 AC AC A4 A4 AS AS LB LBST ST E1 3 3 R R W W 7 ST A1 A1 A2 A2 A3 A3 AC AC A4 A4 AS AS LB LB ST 33 R R W W 8 ST ST A1 A1 A2 A2 A3 A3 AC AC A4 A4 AS AS LB 3 3 R R W

The timing diagram shows the state after each shift of information in the ring by means of a preferred example, the Interbus system by Phoenix Contact GmbH and Co. KG.

The information AC3 can be manipulated by the peripheral monitoring unit (4) with the transfer unit (5) and can be overwritten. The peripheral safety-related unit (9) thus receives in its checking logic (11) an additional information item which prevents a faulty output.

As can also be seen from the timing diagram, the peripheral monitoring unit (4) can also read the data of the output from the peripheral safety-related unit (9) (EC3). These data represent the direct output information of the peripheral safety-related unit (9), so that a bus error is reliably detected.

The internal configuration of the peripheral safety-related unit (9) is shown in FIG. 2.

The peripheral safety-related unit (9) consists of two bus units (22, 23) so that input information can be fetched redundantly (24, 25). In addition, the output information Dn from a bus unit (22) is mapped via the input section of the other bus unit (23). A possible error in the internal storage or during the bus transport is thus detected in the subsequent cycle of the bus transport. The output information Dn is written into the buffer (27) by the control unit (SPC).

However, the checking logic (11) additionally decides whether the information of the buffer (27) appears at the peripheral unit via the output logic (28). This checking logic (11) can either release the stored information via the line (30) or delete the state via the line (31) so that the output (29) brings the control process into a safe state.
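As an added illustration that is not part of the patent text, the following Python model simulates the read-back and release sequence of FIG. 2 over consecutive bus cycles: the SPC's Dn is stored in the buffer (27), bus unit (23) returns it as EC3, the monitoring unit (4) grants AC3 only if the read-back matches both what the SPC sent and the monitor's own independently computed value, and the checking logic (11) releases via line (30) or deletes via line (31). The class and function names, the one-bit data values, the SAFE value and the injected faults are assumptions made for the example.

```python
# Added example: simulation of the buffer (27) / checking logic (11) release sequence
# of FIG. 2. Names, one-bit data values and injected faults are constructed.
SAFE = 0  # output value assumed to bring the control process into a safe state

class SafetyUnit:
    """Model of the peripheral safety-related unit (9)."""
    def __init__(self):
        self.buffer = SAFE   # buffer (27), written with Dn via bus unit (22)
        self.output = SAFE   # output (29) behind the output logic (28)

    def store(self, dn):
        self.buffer = dn     # Dn is only stored; nothing is output yet

    def readback(self):
        return self.buffer   # bus unit (23) returns the buffered Dn (EC3)

    def apply(self, ac3):
        # checking logic (11): AC3 present -> release via (30); absent -> delete via (31)
        self.output = self.buffer if ac3 else SAFE
        return self.output

class MonitoringUnit:
    """Model of the peripheral monitoring unit (4) with transfer units (5) and (6)."""
    def __init__(self):
        self.sent = None       # last Dn seen on the forward line (transfer unit 5)
        self.expected = None   # the monitor's own independently computed value

    def observe(self, sent, expected):
        self.sent, self.expected = sent, expected

    def agreement(self, readback):
        # AC3 is granted only if the read-back (transfer unit 6) equals what the SPC sent
        # and that value equals what the monitor expects; otherwise AC3 is overwritten.
        if self.sent is None:
            return False       # nothing buffered yet
        return readback == self.sent == self.expected

def simulate(spc_values, monitor_values, corrupt_cycle=None):
    """Run consecutive bus cycles and return the output (29) after each one.
    corrupt_cycle flips Dn on the bus in that cycle (constructed bus fault)."""
    unit, mon = SafetyUnit(), MonitoringUnit()
    outputs = []
    for i, (dn, exp) in enumerate(zip(spc_values, monitor_values)):
        ac3 = mon.agreement(unit.readback())   # check the previous cycle's buffer ...
        outputs.append(unit.apply(ac3))        # ... before it is released or deleted
        unit.store(dn ^ 1 if i == corrupt_cycle else dn)
        mon.observe(dn, exp)
    return outputs
```

Because the read-back check precedes release, a bus fault that flips the safe value 0 to 1 (simulate([0, 0, 0], [0, 0, 0], corrupt_cycle=1)) never reaches the output, and a programming error in the SPC (monitor_values disagreeing with spc_values) is deleted in the same way.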

In principle, however, the circuit arrangement operates in many areas just like a normal decentralized SPC system. The components merely additionally allow inputs to be redundantly monitored and stored output information to be examined for appropriateness, particularly freedom from faults, before it is output. Furthermore, the monitoring unit can also detect faults which have not only been produced by failure or disturbance but were caused by an error in programming or parameterizing.

The present circuit arrangement thus allows data which are necessary for configuring fault-tolerant structures to be transmitted on standard ring-shaped bus systems.

To implement the invention, a monitoring unit and peripheral input and output units transmitting or receiving data for control purposes are used.

The circuit arrangement handles the task of detecting any faults which can become a danger for the control process, particularly for the transmission of control, sensor or actuator data, within a machine or plant. Due to its internal configuration, the circuit arrangement identifies a possible error even before the error is transmitted to the control process and initiates a protected switch-off. In this arrangement, it is of no importance whether it is the external control unit or the bus system used which is responsible for the error.

CLAIMS

1. A system for protected data transmission in ring-shaped bus systems, comprising a control unit (1) which sends output data and checking signals for a control process to peripheral units (4, 7, 8, 9, 12), a peripheral monitoring unit (4) which has a first transfer unit (5) for monitoring the transmitted data and a second transfer unit (6) for monitoring data to be read back into the control unit (1), and at least one peripheral safety-related unit (9) for receiving or transmitting safety-related data, in which data are temporarily stored for output, which has a checking logic (11) for monitoring the temporarily stored data and an output unit (10) for outputting the temporarily stored data, the temporarily stored data being monitored by the checking logic (11) in such a manner that, in the case of a fault, a safe state of the output unit (10) for the control process is initiated, the first transfer unit (5) monitoring the data sent out by the control unit (1) in such a manner that, in the case of a fault, release data for the peripheral safety-related unit (9) are suppressed or deleted so that the faulty data do not reach the control process, particularly data transmission sequences, wherein the input data of the peripheral safety-related unit (9) and its temporarily stored data are read back via the second transfer unit (6), whereby the peripheral safety-related unit (9) reads back the temporarily stored data via a bus unit (23), whereby the peripheral safety-related unit (9) comprises a further bus unit (22) so that the peripheral safety-related unit (9) has redundant input channels (24, 25) and thus redundantly monitors the connected control process and can detect a fault.

2. The system as claimed in claim 1, characterized in that the temporarily stored data and the input data of the peripheral safety-related unit (9) are provided to the peripheral monitoring unit (4).

3. The system as claimed in claim 1, characterized in that the peripheral safety-related unit (9) has a buffer (27) which is read back by a bus unit (23) of said peripheral safety-related unit (9) and is thus checked by the peripheral monitoring unit (4) even before release to the control process, particularly of data transmitted via the bus, via the output logic (28) with the output signal (29).

4. The system as claimed in claim 1, characterized in that the checking logic (11) decides whether the data stored in the buffer (27) are output via the output logic (28).

5. The system as claimed in claim 1, characterized in that the checking logic (11) releases or deletes the temporarily stored data.

6. The system as claimed in claim 1, characterized in that the peripheral monitoring unit (4) with the first transfer unit (5) is capable of manipulating the data for the peripheral safety-related unit (9).

7. The system as claimed in claim 1, characterized in that the peripheral monitoring unit (4) overwrites data of the SPC.

8. The system as claimed in claim 1, characterized in that agreement to a data output from the peripheral safety-related unit (9) is prevented by the overwriting of the data.

9. The system as claimed in claim 1, characterized in that the checking logic (11) receives from the peripheral monitoring unit (4) an information item which prevents a faulty output.

10. The system as claimed in claim 1, characterized in that the peripheral safety-related unit (9) only becomes active if it has received an agreement for the data of the output unit (10) via the checking unit (11).

11. The system as claimed in claim 1, characterized in that the peripheral units (4, 7, 8, 9, 12) themselves can perform logic operations.

12. The system as claimed in claim 1, characterized in that the peripheral monitoring unit (4) itself handles control functions and thus a combined operation with a safety control unit is produced.

13. The system as claimed in claim 1, characterized in that the peripheral safety-related unit (9) manages with standard non-safety-related modules for the bus traffic and does not need any special safety-related modules.

14. The system as claimed in claim 1, characterized in that the system is operable in standard bus systems and is capable of operating without additional installation of further bus systems or special components.

15. The system as claimed in claim 1, characterized in that the system is installable subsequently by adding the peripheral monitoring unit (4) and exchanging normal peripheral units for peripheral safety-related units (9).

16. The system as claimed in claim 1, characterized in that the safety function of the system can also be subsequently expanded by adding hardware elements or software modules.